Android forensic analysis with Autopsy

Nowadays we have lots of commercial mobile forensics suites: Oxygen Forensic Analyst and Detective, Cellebrite UFED and MSAB XRY are just a few of them. Of course, these tools are very, even extremely, powerful and are able to extract huge datasets from lots of mobile devices, including Android. But it's always good to have an open-source alternative to the commercial ones, and we have good news: there is an open-source tool called Autopsy that is suitable for Android mobile forensic examinations.

Of course, this tool is not a new one. It's used globally by thousands of digital forensic examiners for traditional computer forensics, especially file system forensics. It was originally created as a graphical interface for The Sleuth Kit, but starting with version 3 it was completely rewritten and became Windows-based.

The most current version is 4.0. It's very important to note that it includes the Android Analyzer Module, which makes it possible to extract the following artifacts:

Text messages (SMS / MMS)

Call logs

Contacts

Tango messages

Words with Friends messages

GPS from the browser and Google Maps

GPS from cache.wifi and cache.cell files

But this is not the only module suitable for Android forensics. Other important modules include the EXIF Parser Module, the Keyword Search Module, the PhotoRec Carver Module and some others.

Let’s create a case and add an Android physical image. Start the suite and you’ll see the Welcome window:

We need to create a new case, so choose the corresponding option.

It’s time to start filling in our case information:

Start with the case name; we use WeAre4n6_Android_Test. Our base directory is D:\, but you can choose your own. With these settings our case data will be stored in D:\WeAre4n6_Android_Test.

Setting the case number and examiner’s name is optional, so you can skip this step if you want:

Choose our data source:

In our case, it's a physical image of an Android userdata partition (userdata.dd), located at C:\Users\Olly\Desktop. Don't forget to set the correct time zone!